[BlueOnyx:00564] Re: Brian type permissions question..

Tobias Gablunsky t.gablunsky at cbxnet.de
Wed Feb 18 15:00:07 -05 2009 

Could using suPHP (http://www.suphp.org) be an option?

"...suPHP is a tool for executing PHP scripts with the permissions of their owners. It consists of an Apache module (mod_suphp) and a setuid root binary (suphp) that is called by the Apache module to change the uid of the process executing the PHP interpreter..."

Because with changing the permissions of files you get at least one more problem than already discussed:  the quota count gets wrong!

Because we already have this problem with users and their cms'es I would really like this!

Tobias.

-----Ursprüngliche Nachricht-----
Von: blueonyx-bounces at blueonyx.it [mailto:blueonyx-bounces at blueonyx.it] Im Auftrag von Michael Stauber
Gesendet: Mittwoch, 18. Februar 2009 20:04
An: BlueOnyx General Mailing List
Betreff: [BlueOnyx:00559] Re: Brian type permissions question..

Hi Jeff,

> Wow. You know that is EXACTLY what Brian would have said! And it
> worked! So now I really am suspicious!

Hehehe. "Barkeeper! I take one of those that Jeff had. Must be good stuff!" 
:o)

> So now my file UIDs are all apache, but from what you say - uploading
> via FTP (user admin say) is going to replace the UID back to admin and
> cause another problem.
>
> Are you saying that after FTPing my files up - I'm going to have to
> manually change each one back to apache?

Yes, that's correct.

> Or (mini Brian-wave) if I upload using the site administrator account
> - this should be in the site1 group, and therefore should work.
>
> Am I right? Or have I just completely exposed to the world my complete
> misunderstanding of linux permissions..?

Let me put it this way: Uploading by FTP as siteAdmin or "admin" should always 
work - even in this scenario. Because both of these belong to site1 - as you 
said.

However, the problem is: Apache doesn't belong to group "site1". So whenever 
your PHP script tries to overwrite a file that you uploaded by FTP, then that 
script will fail.

Likewise: If you create a folder by FTP and want that PHP script to store 
files in there, then it can't. Because the folder is not owned by UID 
"apache".

Adding user "apache" to all site groups would solve this issue, but it creates 
a hell of a security hole. Because customer X could create a script that reads 
from and writes to everyone elses webspace. The "open_basedir" restrictions 
can typically prevent that kind of malice, but I wouldn't bet the farm on it. 
So that's a big no-go area. Using PHP as mod_cgi would be another alternative, 
but it has other drawbacks.

Hence we may go another route here: Add a checkbox to the GUI where the 
siteAdmin user (or higher)  can toggle all files and folders of the webspace 
back and forth between being owned by siteAdmin and/or Apache. 

If done that way you could simply upload something by FTP and then toggle that 
checkbox in the GUI and everything will be chown'ed in a fashion that your PHP 
script is happy.

-- 
With best regards

Michael Stauber

_______________________________________________
Blueonyx mailing list
Blueonyx at blueonyx.it
http://www.blueonyx.it/mailman/listinfo/blueonyx

More information about the Blueonyx mailing list